1
00:00:01,110 --> 00:00:08,610
Before we jump into an example penetration test, we must know why we should prefer Metasploit

2
00:00:08,760 --> 00:00:10,680
to manual exploitation techniques.

3
00:00:11,570 --> 00:00:13,230
Is it because of the hacker?

4
00:00:13,860 --> 00:00:17,010
Will that use as a professional or look?

5
00:00:17,310 --> 00:00:23,190
Or is there a different reason why Metasploit is a preferable choice compared to traditional manual techniques,

6
00:00:23,190 --> 00:00:26,430
because of specific factors?

7
00:00:26,820 --> 00:00:28,710
We will discuss this in this lecture.

8
00:00:29,160 --> 00:00:33,600
So first of all, Metasploit is open source.

9
00:00:33,960 --> 00:00:41,100
One of the top reasons why we should go with Metasploit Framework is because it is open source and actively

10
00:00:41,100 --> 00:00:46,800
developed. Various other expensive tools exist for carrying out penetration testing.

11
00:00:47,100 --> 00:00:57,090
However, Metasploit users can actually use its source code and add their own custom modules.

12
00:00:57,570 --> 00:01:00,240
The pro versions of Metasploit are chargeable.

13
00:01:00,390 --> 00:01:06,030
But for the sake of learning, the framework edition is mostly preferred.

14
00:01:07,290 --> 00:01:13,560
Support for testing large networks and natural naming conventions: using Metasploit is easier.

15
00:01:14,220 --> 00:01:16,740
So now over here.

16
00:01:16,920 --> 00:01:22,560
Ease of use refers to the natural naming conventions for the commands here.

17
00:01:22,560 --> 00:01:23,190
So.

18
00:01:24,890 --> 00:01:30,020
Metasploit offers excellent comfort while conducting a massive network intrusion test.

19
00:01:30,350 --> 00:01:36,950
Consider a scenario where we need to test a network with 200 systems. Instead of checking each system

20
00:01:36,950 --> 00:01:38,630
one after the other,


21
00:01:38,900 --> 00:01:48,080
Metasploit allows us to examine the entire range automatically using parameters such as subnet and classless

22
00:01:48,080 --> 00:01:49,060
inter-domain routing

23
00:01:49,070 --> 00:01:57,950
(CIDR) values. Metasploit tests all the systems to exploit the vulnerability, whereas using manual

24
00:01:57,950 --> 00:02:02,750
techniques we might need to launch the exploit manually onto 200 systems.

25
00:02:03,050 --> 00:02:11,390
Therefore, Metasploit saves a significant amount of time and energy. Also, Metasploit has a smart payload

26
00:02:11,630 --> 00:02:14,330
generation and switching mechanism.

27
00:02:14,660 --> 00:02:18,980
Most importantly, switching between payloads in Metasploit is easy.

28
00:02:20,330 --> 00:02:30,020
I'm sorry. Metasploit provides quick access to change payloads using the, uh, here, set payload command.

29
00:02:31,050 --> 00:02:40,230
My command. So, therefore, turning the Meterpreter or shell-based access into a more specific operation,

30
00:02:40,410 --> 00:02:47,310
such as adding a user and getting remote desktop access, becomes easy.

31
00:02:47,880 --> 00:02:54,040
Generating shellcode to use in the manual exploits also becomes easier by using the msfvenom

32
00:02:54,050 --> 00:02:59,940
application from the command line, which also features encryption in the Metasploit

33
00:03:00,150 --> 00:03:03,420
5.0 release here.

34
00:03:06,560 --> 00:03:13,310
As you can see here, you can create programs with msfvenom as well.

35
00:03:15,340 --> 00:03:21,850
Clean exits. So this is one of the features of Metasploit. Metasploit is also responsible

36
00:03:21,850 --> 00:03:24,790
for making a much cleaner exit from the system

37
00:03:25,570 --> 00:03:32,150
it has compromised. A custom coded exploit, on the other hand, can crash the system while exiting,

38
00:03:32,170 --> 00:03:35,870
exiting its operations. Making a clean exit


39
00:03:35,920 --> 00:03:41,650
is indeed an essential factor in cases where we know that the service will not restart immediately.

40
00:03:42,010 --> 00:03:44,920
Let's consider a scenario where we have compromised the web server.

41
00:03:45,520 --> 00:03:49,690
And while we were making an exit, the exploit application crashed.

42
00:03:50,020 --> 00:03:55,330
The scheduled maintenance time for the server is left with 50 days' time on it.

43
00:03:55,630 --> 00:03:57,130
So what do we do?

44
00:03:57,570 --> 00:04:05,680
Shall we wait for the next 50-odd days for the servers to come up again so that we can exploit it

45
00:04:05,680 --> 00:04:06,100
again?

46
00:04:06,430 --> 00:04:11,590
Moreover, what if the servers come back after being patched?

47
00:04:12,190 --> 00:04:14,410
We would end up kicking ourselves.

48
00:04:14,860 --> 00:04:22,310
This is also a clear sign of poor penetration testing skills. Therefore, a better approach would be to

49
00:04:22,390 --> 00:04:23,650
make use of

50
00:04:23,660 --> 00:04:28,750
the Metasploit Framework, which is known for making much cleaner exits, as well as offering tools

51
00:04:28,750 --> 00:04:36,070
of post-exploitation functions such as persistence, which can help maintain permanent access to the

52
00:04:36,070 --> 00:04:36,490
server.

53
00:04:38,370 --> 00:04:44,730
So actually, we have reached into the domain controller case study here. So, with the basics of

54
00:04:44,730 --> 00:04:51,570
Metasploit already covered, we are all set to perform our penetration tests with Metasploit.

55
00:04:52,050 --> 00:05:01,260
So let's consider an on-site scenario where we are asked to test an IP address and check if it is vulnerable

56
00:05:01,290 --> 00:05:02,070
to an attack.

57
00:05:02,730 --> 00:05:08,430
The sole purpose of this test is to ensure all the proper checks are in place. So this scenario is

58
00:05:08,430 --> 00:05:09,450
quite straightforward.


59
00:05:09,810 --> 00:05:15,870
We will presume that all the prior interactions have been carried out with the client and that the actual

60
00:05:15,870 --> 00:05:17,670
testing phase is going to start.

61
00:05:18,390 --> 00:05:29,730
Please refer to the questions here if you have a question, here, if you have any questions here.

62
00:05:31,000 --> 00:05:39,280
So now I want to show you using the database in Metasploit: db_status here.

63
00:05:41,030 --> 00:05:48,080
So it's always better to store the results automatically when you're conducting a penetration test.

64
00:05:48,830 --> 00:05:56,240
Making use of the databases will help us build the knowledge base of hosts, services and vulnerabilities

65
00:05:56,240 --> 00:05:57,740
in the scope of penetration tests.

66
00:05:58,950 --> 00:06:04,620
Using databases in Metasploit also speeds up searching and improves response time.

67
00:06:05,360 --> 00:06:14,400
Uh, so Metasploit 6.0 relies heavily on data services such as the PostgreSQL database and web

68
00:06:14,400 --> 00:06:18,090
services. In the installation phase,

69
00:06:18,120 --> 00:06:23,880
we learned how to initialize the database and web service for Metasploit. To check if Metasploit is currently

70
00:06:23,880 --> 00:06:26,340
connected to a database or a web service,

71
00:06:26,700 --> 00:06:31,650
we can actually, of course, start our Metasploit first.

72
00:06:32,720 --> 00:06:40,310
And so to check if Metasploit is currently connected to a database or web service, we can just type,

73
00:06:40,670 --> 00:06:43,010
uh, actually, db_status.

74
00:06:44,290 --> 00:06:50,230
So as you can see here: connected to remote data service, localhost, connection type is

75
00:06:50,270 --> 00:06:53,980
http, connection name is local-https-data-service.

76
00:06:54,220 --> 00:06:55,480
So let's open this link.

77
00:06:57,040 --> 00:06:59,560
And as you can see here, we have yet comment, David.


78
00:07:02,330 --> 00:07:03,280
So you can save.

79
00:07:09,490 --> 00:07:15,970
So there might be situations where we want to connect to a separate database or a web service, rather

80
00:07:15,970 --> 00:07:18,670
than the default Metasploit database.

81
00:07:19,120 --> 00:07:25,520
In such cases, we can make use of the db_connect here.

82
00:07:26,250 --> 00:07:28,840
Uh, db_connect or... what is it?

83
00:07:29,440 --> 00:07:30,560
Because it gets sent.

84
00:07:31,390 --> 00:07:38,590
So in such, uh, such situations, we can use db_connect and help.

85
00:07:39,590 --> 00:07:44,670
And help, as you can see here, we can.

86
00:07:44,730 --> 00:07:47,970
There are possible connection commands here.

87
00:07:48,930 --> 00:07:51,810
These are the examples, and this is the example here.

88
00:07:53,530 --> 00:07:53,890
So.

89
00:07:58,880 --> 00:07:59,750
Sure, here.

90
00:08:02,560 --> 00:08:06,760
Now, I want to show you here

91
00:08:08,010 --> 00:08:18,480
the commands on Metasploit. So we can leave this, and now we will start a new, actually new

92
00:08:19,080 --> 00:08:23,580
text to show you the possible database commands here.

93
00:08:23,850 --> 00:08:26,580
So, in it, we have analyze here.

94
00:08:26,850 --> 00:08:28,770
So this command?

95
00:08:29,550 --> 00:08:30,210
Analyze.

96
00:08:33,060 --> 00:08:34,890
Database information.

97
00:08:36,380 --> 00:08:45,350
Information about a target IP or a range. And we have db_connect here.

98
00:08:46,220 --> 00:08:55,550
So this command is used, is used to interact, is used to interact.

99
00:08:56,850 --> 00:08:59,880
This was the way that.

100
00:09:03,190 --> 00:09:05,530
Is used to interact.

101
00:09:07,290 --> 00:09:07,500
Of.

102
00:09:09,790 --> 00:09:10,330
Sorry.

103
00:09:13,040 --> 00:09:23,780
It is used to interact, interacts with databases other

104
00:09:24,700 --> 00:09:28,600
than the, uh, actually, default one.

105
00:09:30,960 --> 00:09:31,340
And.


106
00:09:34,280 --> 00:09:36,280
The old one.

107
00:09:37,980 --> 00:09:43,110
And we have another command here, which is db_export.

108
00:09:47,150 --> 00:09:50,810
So, uh, this command is used,

109
00:09:51,830 --> 00:09:55,790
is used to export the entire

110
00:09:57,430 --> 00:10:11,380
set of data stored in the database for the sake of, the sake of creating reports or as inputs to another,

111
00:10:12,520 --> 00:10:13,540
no, other tool.

112
00:10:15,380 --> 00:10:22,310
And we have the, we, and up here, uh, db_nmap.

113
00:10:23,140 --> 00:10:29,660
So this command, the actual db_nmap command, is used

114
00:10:30,890 --> 00:10:41,600
for scanning the target with nmap and storing the results in the Metasploit

115
00:10:43,890 --> 00:10:45,690
database.

116
00:10:47,650 --> 00:10:54,190
And we have db_status, but we have used this command in this lecture.

117
00:10:54,640 --> 00:10:57,190
So you already know what it is, I think.

118
00:10:57,430 --> 00:10:58,330
So this command?

119
00:10:59,780 --> 00:11:04,000
Command is used to check whether

120
00:11:05,430 --> 00:11:13,530
uh, the database connectivity is present or not.

121
00:11:14,310 --> 00:11:23,310
And we have, uh, the disconnect, uh, we have just a few more, uh, that I want to talk about here.

122
00:11:23,790 --> 00:11:24,720
So db,

123
00:11:26,000 --> 00:11:28,190
uh, db_disconnect.

124
00:11:31,980 --> 00:11:42,810
So now this command is used to disconnect from a particular database.

125
00:11:44,160 --> 00:11:54,870
And we have db_import here. Lastly, as we will note, this command is used to import results

126
00:11:55,650 --> 00:12:10,080
from other tools like, these are such and such, such as Nessus and nmap and, actually, others and others,

127
00:12:10,770 --> 00:12:11,220
others.

128
00:12:12,530 --> 00:12:12,950
So.

129
00:12:14,480 --> 00:12:21,560
Now, actually, we have two or three commands that I want to tell you about.


130
00:12:22,240 --> 00:12:33,160
Actually, we have a few commands to write here, which is db_rebuild_cache.

131
00:12:34,470 --> 00:12:41,970
So this command is used, used to rebuild the cache

132
00:12:43,610 --> 00:12:45,410
if, that, earlier,

133
00:12:47,100 --> 00:12:56,100
the cache gets corrupted or is stored with old results.

134
00:12:58,490 --> 00:13:03,710
And we have db_remove here, db_remove.

135
00:13:04,520 --> 00:13:08,210
So this, this is a simple command. This command removes

136
00:13:09,220 --> 00:13:10,210
the saved

137
00:13:11,100 --> 00:13:13,410
data service entry.

138
00:13:15,410 --> 00:13:19,870
And the last command we will discuss is the, what's,

139
00:13:21,330 --> 00:13:22,710
db_save.

140
00:13:23,850 --> 00:13:31,180
What this command does: so this command saves the current data

141
00:13:31,650 --> 00:13:32,760
service

142
00:13:35,010 --> 00:13:42,750
entry as the default so that on its next startup

143
00:13:44,380 --> 00:13:50,530
it reconnects to this service by default.

144
00:13:54,820 --> 00:13:59,620
So let's look at the... when starting a new penetration test,

145
00:14:00,310 --> 00:14:08,200
it's always good to separate previously scanned hosts and their respective data from the new penetration

146
00:14:08,200 --> 00:14:10,810
test so that they don't get merged.

147
00:14:11,350 --> 00:14:17,850
But we can do this in Metasploit before starting a new penetration test by making use of the workspace command,

148
00:14:18,410 --> 00:14:19,470
uh, like that.

149
00:14:19,830 --> 00:14:22,760
Here, let's change the work

150
00:14:23,990 --> 00:14:27,110
space. It's the default workspace.

151
00:14:27,430 --> 00:14:32,640
But we can also do it like that, uh, workspace

152
00:14:33,260 --> 00:14:33,860
but, what's,

153
00:14:35,190 --> 00:14:42,000
-h. As you can see here, we can see the list of options here, and workspace.


154
00:14:42,570 --> 00:14:48,490
We will, not be, we, you can see here we have just one workspace,

155
00:14:48,510 --> 00:14:51,270
well, one, uh, workspace in it.

156
00:14:52,760 --> 00:15:00,320
So to add a new workspace, we can use the workspace, uh, command,

157
00:15:00,890 --> 00:15:08,510
uh, so followed by -a, then followed by an identifier. So workspace?

158
00:15:08,880 --> 00:15:10,820
Uh, actually not.

159
00:15:11,960 --> 00:15:12,890
We'll say it's -a,

160
00:15:13,100 --> 00:15:17,300
and then after that, we will, test.

161
00:15:18,350 --> 00:15:20,120
Space, test space, for example.

162
00:15:20,390 --> 00:15:21,860
And we added workspaces here.

163
00:15:22,100 --> 00:15:29,870
So when we execute this command, workspace, you can see here we have, then we have,

164
00:15:30,380 --> 00:15:33,470
we have the default workspace and we have the test space workspace.

165
00:15:34,640 --> 00:15:42,620
So here we can see that we have, specifically, the new workspace using the, um, this is a switch.

166
00:15:43,520 --> 00:15:47,690
So let's switch the workspace by merely using the workspace command.

167
00:15:47,990 --> 00:15:52,010
So, workspace followed by its name, uh, here, for example?

168
00:15:52,670 --> 00:15:53,310
No.

169
00:15:55,620 --> 00:16:04,940
Actually, we can also change the workspace, workspace, after, uh, I think, this command.

170
00:16:05,120 --> 00:16:10,190
Just enter your created workspace name, for example, in my case, it is this test space.

171
00:16:11,330 --> 00:16:17,960
As you can see, we are now in the test space workspace, so we write like that, workspace.

172
00:16:18,260 --> 00:16:21,980
As you can see here, we are working in the test space workspace now.

173
00:16:28,050 --> 00:16:29,280
Um, and.


174
00:16:31,620 --> 00:16:38,340
So we can verify that we are in the current workspace using the workspace command, where the workspace should

175
00:16:38,340 --> 00:16:47,130
be in red here, like that, and have this symbol before it as a prefix, meaning that the workspace is in

176
00:16:47,130 --> 00:16:48,410
use here.

177
00:16:48,750 --> 00:16:50,460
Let's change this to default.

178
00:16:53,620 --> 00:16:55,120
Workspace default.

179
00:16:58,810 --> 00:17:00,640
Now, let's write workspace again.

180
00:17:02,580 --> 00:17:05,340
As you can see, we are in the default workspace.